RED PILL 🔴 💊
rule VULN_Dell_BIOS_Update_Driver_DBUtil_May21 {
    // Purpose: flag copies of the vulnerable Dell BIOS update driver
    // (DBUtil_2_3.Sys, CVE-2021-21551) on disk. A match means the vulnerable
    // driver file is present — either an outdated legitimate Dell component or
    // a copy dropped for abuse; the description below notes its usual location,
    // so check where it was found and remediate per the referenced advisory.
    meta:
        description = "Detects vulnerable DELL BIOS update driver that allows privilege escalation as reported in CVE-2021-21551 - DBUtil_2_3.Sys - note: it's usual location is in the C:\\Windows\\Temp folder"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/"
        date = "2021-05-05"
        // score is a meta field only; YARA itself does not evaluate it
        // (presumably consumed by the author's scanning tooling — verify).
        score = 60
        // Known sample hashes, kept for reference; the condition matches on
        // strings, not on these hashes.
        hash1 = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"
        hash2 = "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"
        id = "6d46866e-40fb-5fbf-b159-6bf688e638cb"

    strings:
        // Backslash-prefixed DBUtilDrv2 name (presumably the driver's device /
        // symbolic-link name — confirm against the binary).
        $dbutil_name   = "\\DBUtilDrv2" ascii
        // The driver's own file name, as a whole word.
        $driver_file   = "DBUtil_2_3.Sys" ascii fullword
        // Banner string embedded in the driver.
        $dell_banner   = "[ Dell BIOS Utility Driver - " ascii fullword

    condition:
        // "MZ" PE header read as little-endian uint16, a small file
        // (the driver is under 50KB), and every string above present.
        uint16(0) == 0x5a4d
        and filesize < 50KB
        and all of them
}